author | Tom Rini <trini@konsulko.com> | 2020-08-24 17:28:18 -0400 |
---|---|---|
committer | Tom Rini <trini@konsulko.com> | 2020-08-24 17:28:18 -0400 |
commit | 3c0cec035e5b06b638fb52ccd7383bbd5bcede35 (patch) | |
tree | 5dfb658a5a4376ab257dfccdbc51f2e301fd0256 | |
parent | 1aa3966173fe92fa3c46638ee8eb8b8491f521d6 (diff) | |
parent | 2b3fbcb59f4174e455a6285eaddf1426ed3e76c5 (diff) | |
Merge tag 'efi-2020-10-rc3-3' of https://gitlab.denx.de/u-boot/custodians/u-boot-efiWIP/24Aug2020
Pull request for UEFI sub-system for efi-2020-10-rc3 (3)
The following bug fixes are contained in this pull-request:
* ResetSystem() should not hang if not implemented.
* Device paths in Bootxxxx variables should be verified.
* Use ':' as separator for command setenv -e -i instead of ','.
* Correct comments for functions.
* Update UEFI documentation.
-rw-r--r-- | cmd/bootefi.c | 4 | ||||
-rw-r--r-- | cmd/nvedit_efi.c | 2 | ||||
-rw-r--r-- | doc/uefi/uefi.rst | 18 | ||||
-rw-r--r-- | include/efi_loader.h | 2 | ||||
-rw-r--r-- | include/efi_variable.h | 1 | ||||
-rw-r--r-- | include/linux/kernel.h | 3 | ||||
-rw-r--r-- | lib/efi_loader/efi_bootmgr.c | 6 | ||||
-rw-r--r-- | lib/efi_loader/efi_device_path.c | 33 | ||||
-rw-r--r-- | lib/efi_loader/efi_runtime.c | 7 | ||||
-rw-r--r-- | lib/efi_selftest/Makefile | 1 | ||||
-rw-r--r-- | lib/efi_selftest/efi_selftest.c | 10 | ||||
-rw-r--r-- | lib/efi_selftest/efi_selftest_reset.c | 58 | ||||
-rw-r--r-- | test/lib/Makefile | 1 | ||||
-rw-r--r-- | test/lib/efi_device_path.c | 50 | ||||
-rw-r--r-- | test/py/tests/test_efi_secboot/test_authvar.py | 60 | ||||
-rw-r--r-- | test/py/tests/test_efi_secboot/test_signed.py | 46 | ||||
-rw-r--r-- | test/py/tests/test_efi_secboot/test_signed_intca.py | 24 | ||||
-rw-r--r-- | test/py/tests/test_efi_secboot/test_unsigned.py | 18 |
18 files changed, 252 insertions, 92 deletions
diff --git a/cmd/bootefi.c b/cmd/bootefi.c index fbfed54e85..06563d28ca 100644 --- a/cmd/bootefi.c +++ b/cmd/bootefi.c @@ -304,7 +304,11 @@ efi_status_t efi_install_fdt(void *fdt) /** * do_bootefi_exec() - execute EFI binary * + * The image indicated by @handle is started. When it returns the allocated + * memory for the @load_options is freed. + * * @handle: handle of loaded image + * @load_options: load options * Return: status code * * Load the EFI binary into a newly assigned memory unwinding the relocation diff --git a/cmd/nvedit_efi.c b/cmd/nvedit_efi.c index 8e31f43e1f..094c0e8098 100644 --- a/cmd/nvedit_efi.c +++ b/cmd/nvedit_efi.c @@ -473,7 +473,7 @@ int do_env_set_efi(struct cmd_tbl *cmdtp, int flag, int argc, argc--; argv++; addr = simple_strtoul(argv[0], &ep, 16); - if (*ep != ',') + if (*ep != ':') return CMD_RET_USAGE; /* 0 should be allowed for delete */ diff --git a/doc/uefi/uefi.rst b/doc/uefi/uefi.rst index a72e729cc8..07eb3f01b4 100644 --- a/doc/uefi/uefi.rst +++ b/doc/uefi/uefi.rst @@ -59,6 +59,10 @@ Below you find the output of an example session starting GRUB:: 120832 bytes read in 7 ms (16.5 MiB/s) => bootefi ${kernel_addr_r} ${fdt_addr_r} +The bootefi command uses the device, the file name, and the file size +(environment variable 'filesize') of the most recently loaded file when setting +up the binary for execution. So the UEFI binary should be loaded last. + The environment variable 'bootargs' is passed as load options in the UEFI system table. The Linux kernel EFI stub uses the load options as command line arguments. 
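Review bot: In do_env_set_efi() the changed test `if (*ep != ':')` only inspects the character where parsing stopped, so an argument with no hex digits before the separator (for example `:10`) appears to be accepted as address 0 instead of being rejected as a usage error. Consider `if (ep == argv[0] || *ep != ':') return CMD_RET_USAGE;`. A one-line comment naming the accepted form, such as `/* value source is given as <addr>:<size> */`, would also help now that the separator has changed. The function continues outside the hunk, so the size parsing that follows is not visible here.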
@@ -169,11 +173,11 @@ Sign an image with one of the keys in "db" on your host Now in U-Boot install the keys on your board:: fatload mmc 0:1 <tmpaddr> PK.auth - setenv -e -nv -bs -rt -at -i <tmpaddr>,$filesize PK + setenv -e -nv -bs -rt -at -i <tmpaddr>:$filesize PK fatload mmc 0:1 <tmpaddr> KEK.auth - setenv -e -nv -bs -rt -at -i <tmpaddr>,$filesize KEK + setenv -e -nv -bs -rt -at -i <tmpaddr>:$filesize KEK fatload mmc 0:1 <tmpaddr> db.auth - setenv -e -nv -bs -rt -at -i <tmpaddr>,$filesize db + setenv -e -nv -bs -rt -at -i <tmpaddr>:$filesize db Set up boot parameters on your board:: @@ -217,13 +221,13 @@ which has to be enabled via CONFIG_SUPPORT_EMMC_RPMB=y. Executing the boot manager ~~~~~~~~~~~~~~~~~~~~~~~~~~ -The UEFI specification foresees to define boot entries and boot sequence via UEFI -variables. Booting according to these variables is possible via:: +The UEFI specification foresees to define boot entries and boot sequence via +UEFI variables. Booting according to these variables is possible via:: bootefi bootmgr [fdt address] -As of U-Boot v2018.03 UEFI variables are not persisted and cannot be set at -runtime. +As of U-Boot v2020.10 UEFI variables cannot be set at runtime. The U-Boot +command 'efidebug' can be used to set the variables. Executing the built in hello world application ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ diff --git a/include/efi_loader.h b/include/efi_loader.h index 50a17a33ca..0baa1d2324 100644 --- a/include/efi_loader.h +++ b/include/efi_loader.h @@ -631,6 +631,8 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr, const char *path, struct efi_device_path **device, struct efi_device_path **file); +ssize_t efi_dp_check_length(const struct efi_device_path *dp, + const size_t maxlen); #define EFI_DP_TYPE(_dp, _type, _subtype) \ (((_dp)->type == DEVICE_PATH_TYPE_##_type) && \ diff --git a/include/efi_variable.h b/include/efi_variable.h index 60491cb640..4704a3c16e 100644 --- a/include/efi_variable.h 
+++ b/include/efi_variable.h @@ -274,7 +274,6 @@ efi_get_next_variable_name_mem(efi_uintn_t *variable_name_size, u16 *variable_na * @data: buffer to which the variable value is copied * @timep: authentication time (seconds since start of epoch) * Return: status code - */ efi_status_t __efi_runtime efi_get_variable_mem(u16 *variable_name, const efi_guid_t *vendor, u32 *attributes, diff --git a/include/linux/kernel.h b/include/linux/kernel.h index b88c210065..3e71d61074 100644 --- a/include/linux/kernel.h +++ b/include/linux/kernel.h @@ -19,6 +19,9 @@ #ifndef SIZE_MAX #define SIZE_MAX (~(size_t)0) #endif +#ifndef SSIZE_MAX +#define SSIZE_MAX ((ssize_t)(SIZE_MAX >> 1)) +#endif #define U8_MAX ((u8)~0U) #define S8_MAX ((s8)(U8_MAX>>1)) diff --git a/lib/efi_loader/efi_bootmgr.c b/lib/efi_loader/efi_bootmgr.c index 1e06e60963..61dc72a23d 100644 --- a/lib/efi_loader/efi_bootmgr.c +++ b/lib/efi_loader/efi_bootmgr.c @@ -105,10 +105,8 @@ efi_status_t efi_deserialize_load_option(struct efi_load_option *lo, u8 *data, if (*size < len) return EFI_INVALID_PARAMETER; lo->file_path = (struct efi_device_path *)data; - /* - * TODO: validate device path. There should be an end node within - * the indicated file_path_length. - */ + if (efi_dp_check_length(lo->file_path, len) < 0) + return EFI_INVALID_PARAMETER; data += len; *size -= len; diff --git a/lib/efi_loader/efi_device_path.c b/lib/efi_loader/efi_device_path.c index 7ae14f3423..8a5c13c424 100644 --- a/lib/efi_loader/efi_device_path.c +++ b/lib/efi_loader/efi_device_path.c 
@@ -1127,3 +1127,36 @@ efi_status_t efi_dp_from_name(const char *dev, const char *devnr, return EFI_SUCCESS; } + +/** + * efi_dp_check_length() - check length of a device path + * + * @dp: pointer to device path + * @maxlen: maximum length of the device path + * Return: + * * length of the device path if it is less or equal @maxlen + * * -1 if the device path is longer then @maxlen + * * -1 if a device path node has a length of less than 4 + * * -EINVAL if maxlen exceeds SSIZE_MAX + */ +ssize_t efi_dp_check_length(const struct efi_device_path *dp, + const size_t maxlen) +{ + ssize_t ret = 0; + u16 len; + + if (maxlen > SSIZE_MAX) + return -EINVAL; + for (;;) { + len = dp->length; + if (len < 4) + return -1; + ret += len; + if (ret > maxlen) + return -1; + if (dp->type == DEVICE_PATH_TYPE_END && + dp->sub_type == DEVICE_PATH_SUB_TYPE_END) + return ret; + dp = (const struct efi_device_path *)((const u8 *)dp + len); + } +} diff --git a/lib/efi_loader/efi_runtime.c b/lib/efi_loader/efi_runtime.c index 78fd8014d9..dea2b4e5ee 100644 --- a/lib/efi_loader/efi_runtime.c +++ b/lib/efi_loader/efi_runtime.c @@ -365,7 +365,9 @@ out: * efi_reset_system() - reset system * * This function implements the ResetSystem() runtime service after - * SetVirtualAddressMap() is called. It only executes an endless loop. + * SetVirtualAddressMap() is called. As this placeholder cannot reset the + * system it simply return to the caller. + * * Boards may override the helpers below to implement reset functionality. * * See the Unified Extensible Firmware Interface (UEFI) specification for @@ -381,8 +383,7 @@ void __weak __efi_runtime EFIAPI efi_reset_system( efi_status_t reset_status, unsigned long data_size, void *reset_data) { - /* Nothing we can do */ - while (1) { } + return; } /** diff --git a/lib/efi_selftest/Makefile b/lib/efi_selftest/Makefile index 45ce6859b8..85fe8e1216 100644 --- a/lib/efi_selftest/Makefile +++ b/lib/efi_selftest/Makefile 
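Review bot: The loop in efi_dp_check_length() reads `dp->length`, and later `dp->type` and `dp->sub_type`, before confirming that a whole node header still lies inside @maxlen. A path whose previous node ends within the last three bytes of the limit, or a call with maxlen below 4, is therefore read a few bytes past the limit before the `ret > maxlen` test rejects it. The caller added in lib/efi_loader/efi_bootmgr.c passes a length that appears to come from the serialized Boot#### load option, so the limit is derived from untrusted variable data. A guard at the top of the loop closes this, assuming the header is the 4 bytes that `len < 4` already implies: `if (maxlen - (size_t)ret < sizeof(*dp)) return -1;`. The Return: list also mixes a bare -1 with -EINVAL, so it should say that callers are expected to test only for a negative value, as the bootmgr call does.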
@@ -31,6 +31,7 @@ efi_selftest_mem.o \ efi_selftest_memory.o \ efi_selftest_open_protocol.o \ efi_selftest_register_notify.o \ +efi_selftest_reset.o \ efi_selftest_set_virtual_address_map.o \ efi_selftest_textinput.o \ efi_selftest_textinputex.o \ diff --git a/lib/efi_selftest/efi_selftest.c b/lib/efi_selftest/efi_selftest.c index 5b01610eca..6eec8ae2a7 100644 --- a/lib/efi_selftest/efi_selftest.c +++ b/lib/efi_selftest/efi_selftest.c @@ -5,6 +5,7 @@ * Copyright (c) 2017 Heinrich Schuchardt <xypron.glpk@gmx.de> */ +#include <command.h> #include <efi_selftest.h> #include <vsprintf.h> @@ -309,8 +310,13 @@ efi_status_t EFIAPI efi_selftest(efi_handle_t image_handle, /* Reset system */ efi_st_printf("Preparing for reset. Press any key...\n"); efi_st_get_key(); - runtime->reset_system(EFI_RESET_WARM, EFI_NOT_READY, - sizeof(reset_message), reset_message); + + if (IS_ENABLED(CONFIG_EFI_HAVE_RUNTIME_RESET)) + runtime->reset_system(EFI_RESET_WARM, EFI_NOT_READY, + sizeof(reset_message), reset_message); + else + do_reset(NULL, 0, 0, NULL); + efi_st_printf("\n"); efi_st_error("Reset failed\n"); diff --git a/lib/efi_selftest/efi_selftest_reset.c b/lib/efi_selftest/efi_selftest_reset.c new file mode 100644 index 0000000000..8b6ac24cb1 --- /dev/null +++ b/lib/efi_selftest/efi_selftest_reset.c 
@@ -0,0 +1,58 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * efi_selftest_reset + * + * Copyright (c) 2020 Heinrich Schuchardt <xypron.glpk@gmx.de> + * + * This test checks the following service at boot time or runtime: + * ResetSystem() + */ + +#include <efi_selftest.h> + +static struct efi_runtime_services *runtime; + +/* + * Setup unit test. + * + * @handle: handle of the loaded image + * @systable: system table + * @return: EFI_ST_SUCCESS for success + */ +static int setup(const efi_handle_t handle, + const struct efi_system_table *systable) +{ + runtime = systable->runtime; + return EFI_ST_SUCCESS; +} + +/* + * Execute unit test. + * + * @return: EFI_ST_SUCCESS for success + */ +static int execute(void) +{ + u16 reset_data[] = L"Reset by selftest"; + + runtime->reset_system(EFI_RESET_COLD, EFI_SUCCESS, + sizeof(reset_data), reset_data); + efi_st_error("Reset failed.\n"); + return EFI_ST_FAILURE; +} + +EFI_UNIT_TEST(reset) = { + .name = "reset system", + .phase = EFI_EXECUTE_BEFORE_BOOTTIME_EXIT, + .setup = setup, + .execute = execute, + .on_request = true, +}; + +EFI_UNIT_TEST(resetrt) = { + .name = "reset system runtime", + .phase = EFI_SETUP_BEFORE_BOOTTIME_EXIT, + .setup = setup, + .execute = execute, + .on_request = true, +}; diff --git a/test/lib/Makefile b/test/lib/Makefile index b6a0a208c5..ada62fe46b 100644 --- a/test/lib/Makefile +++ b/test/lib/Makefile @@ -3,6 +3,7 @@ # (C) Copyright 2018 # Mario Six, Guntermann & Drunck GmbH, mario.six@gdsys.cc obj-y += cmd_ut_lib.o +obj-$(CONFIG_EFI_LOADER) += efi_device_path.o obj-$(CONFIG_EFI_SECURE_BOOT) += efi_image_region.o obj-y += hexdump.o obj-y += lmb.o diff --git a/test/lib/efi_device_path.c b/test/lib/efi_device_path.c new file mode 100644 index 0000000000..24e2f23c5a --- /dev/null +++ b/test/lib/efi_device_path.c 
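Review bot: The comments above setup() and execute() in lib/efi_selftest/efi_selftest_reset.c open with `/*` and use `@return:`, while the function documentation added elsewhere in this series (efi_dp_check_length() in lib/efi_loader/efi_device_path.c) uses a kernel-doc `/**` block with a `name() - summary` line and `Return:`. Converting both to that form, e.g. `* setup() - setup unit test` and `* Return: EFI_ST_SUCCESS for success`, keeps them consistent. Both EFI_UNIT_TEST entries would also benefit from a comment explaining the flag, such as `/* on request only: a passing test resets the board */`, since `.on_request = true` is the only thing keeping a reset out of a default selftest run.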
@@ -0,0 +1,50 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Test device path functions + * + * Copyright (c) 2020 Heinrich Schuchardt <xypron.glpk@gmx.de> + */ + +#include <common.h> +#include <efi_loader.h> +#include <test/lib.h> +#include <test/test.h> +#include <test/ut.h> + +static int lib_test_efi_dp_check_length(struct unit_test_state *uts) +{ + /* end of device path */ + u8 d1[] __aligned(2) = { + 0x7f, 0xff, 0x04, 0x00 }; + /* device path node with length less then 4 */ + u8 d2[] __aligned(2) = { + 0x01, 0x02, 0x02, 0x00, 0x04, 0x00, 0x7f, 0xff, 0x04, 0x00 }; + /* well formed device path */ + u8 d3[] __aligned(2) = { + 0x03, 0x02, 0x08, 0x00, 0x01, 0x00, 0x01, 0x00, + 0x7f, 0xff, 0x04, 0x00 }; + + struct efi_device_path *p1 = (struct efi_device_path *)d1; + struct efi_device_path *p2 = (struct efi_device_path *)d2; + struct efi_device_path *p3 = (struct efi_device_path *)d3; + + ut_asserteq((ssize_t)-EINVAL, efi_dp_check_length(p1, SIZE_MAX)); + ut_asserteq((ssize_t)sizeof(d1), efi_dp_check_length(p1, sizeof(d1))); + ut_asserteq((ssize_t)sizeof(d1), + efi_dp_check_length(p1, sizeof(d1) + 4)); + ut_asserteq((ssize_t)-1, efi_dp_check_length(p1, sizeof(d1) - 1)); + + ut_asserteq((ssize_t)-1, efi_dp_check_length(p2, sizeof(d2))); + + ut_asserteq((ssize_t)-1, efi_dp_check_length(p3, sizeof(d3) - 1)); + ut_asserteq((ssize_t)sizeof(d3), efi_dp_check_length(p3, sizeof(d3))); + ut_asserteq((ssize_t)sizeof(d3), efi_dp_check_length(p3, SSIZE_MAX)); + ut_asserteq((ssize_t)-EINVAL, + efi_dp_check_length(p3, (size_t)SSIZE_MAX + 1)); + ut_asserteq((ssize_t)sizeof(d3), + efi_dp_check_length(p3, sizeof(d3) + 4)); + + return 0; +} + +LIB_TEST(lib_test_efi_dp_check_length, 0); diff --git a/test/py/tests/test_efi_secboot/test_authvar.py b/test/py/tests/test_efi_secboot/test_authvar.py index d0c6b9035b..f99b8270a6 100644 --- a/test/py/tests/test_efi_secboot/test_authvar.py +++ b/test/py/tests/test_efi_secboot/test_authvar.py 
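Review bot: lib_test_efi_dp_check_length() has no case where the limit falls exactly on a node boundary before the end node, which is the "no end node within file_path_length" shape the new check is meant to reject. The first node of d3 is 8 bytes long, so `ut_asserteq((ssize_t)-1, efi_dp_check_length(p3, 8));` would cover it. A maxlen of 0 for p1 is likewise untested and could be added as `ut_asserteq((ssize_t)-1, efi_dp_check_length(p1, 0));`. In both cases the function examines a node header that starts at or beyond the limit, so they are worth pinning down.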
@@ -38,14 +38,14 @@ class TestEfiAuthVar(object): # Test Case 1b, PK without AUTHENTICATED_WRITE_ACCESS output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 1c'): # Test Case 1c, install PK output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', 'printenv -e -n PK']) assert 'PK:' in ''.join(output) @@ -60,24 +60,24 @@ class TestEfiAuthVar(object): # Test Case 1d, db/dbx without KEK output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db']) assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 1e'): # Test Case 1e, install KEK output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -i 4000000,$filesize KEK']) + 'setenv -e -nv -bs -rt -i 4000000:$filesize KEK']) assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'printenv -e -n KEK']) assert 'KEK:' in ''.join(output) 
@@ -89,12 +89,12 @@ class TestEfiAuthVar(object): # Test Case 1f, install db output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -i 4000000,$filesize db']) + 'setenv -e -nv -bs -rt -i 4000000:$filesize db']) assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) assert 'Failed to set EFI variable' not in ''.join(output) assert 'db:' in ''.join(output) @@ -107,12 +107,12 @@ class TestEfiAuthVar(object): # Test Case 1g, install dbx output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx.auth', - 'setenv -e -nv -bs -rt -i 4000000,$filesize dbx']) + 'setenv -e -nv -bs -rt -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f dbx']) assert 'Failed to set EFI variable' not in ''.join(output) assert 'dbx:' in ''.join(output) 
@@ -132,32 +132,32 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) assert 'Failed to set EFI variable' not in ''.join(output) assert 'db:' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db1.auth', - 'setenv -e -nv -bs -rt -i 4000000,$filesize db']) + 'setenv -e -nv -bs -rt -i 4000000:$filesize db']) assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 2b'): # Test Case 2b, update without correct signature output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.esl', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db']) assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 2c'): # Test Case 2c, update with correct signature output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db1.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) assert 'Failed to set EFI variable' not in ''.join(output) assert 'db:' in ''.join(output) 
@@ -173,32 +173,32 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) assert 'Failed to set EFI variable' not in ''.join(output) assert 'db:' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db1.auth', - 'setenv -e -nv -bs -rt -a -i 4000000,$filesize db']) + 'setenv -e -nv -bs -rt -a -i 4000000:$filesize db']) assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 3b'): # Test Case 3b, update without correct signature output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.esl', - 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db']) + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db']) assert 'Failed to set EFI variable' in ''.join(output) with u_boot_console.log.section('Test Case 3c'): # Test Case 3c, update with correct signature output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db1.auth', - 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) assert 'Failed to set EFI variable' not in ''.join(output) assert 'db:' in ''.join(output) 
@@ -214,11 +214,11 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'printenv -e -n -guid d719b2cb-3d3a-4596-a3bc-dad00e67656f db']) assert 'Failed to set EFI variable' not in ''.join(output) assert 'db:' in ''.join(output) @@ -248,18 +248,18 @@ class TestEfiAuthVar(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'printenv -e -n PK']) assert 'Failed to set EFI variable' not in ''.join(output) assert 'PK:' in ''.join(output) output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 PK_null.esl', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', 'printenv -e -n PK']) assert 'Failed to set EFI variable' in ''.join(output) assert 'PK:' in ''.join(output) 
@@ -268,7 +268,7 @@ class TestEfiAuthVar(object): # Test Case 5b, Uninstall PK with correct signature output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 PK_null.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK', 'printenv -e -n PK']) assert 'Failed to set EFI variable' not in ''.join(output) assert '\"PK\" not defined' in ''.join(output) diff --git a/test/py/tests/test_efi_secboot/test_signed.py b/test/py/tests/test_efi_secboot/test_signed.py index 1443ba7b62..863685e215 100644 --- a/test/py/tests/test_efi_secboot/test_signed.py +++ b/test/py/tests/test_efi_secboot/test_signed.py @@ -53,9 +53,9 @@ class TestEfiSignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO1 host 0:1 /helloworld.efi.signed ""', @@ -74,7 +74,7 @@ class TestEfiSignedImage(object): # Test Case 2b, authenticated by db output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 2', 
@@ -97,11 +97,11 @@ class TestEfiSignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', @@ -114,7 +114,7 @@ class TestEfiSignedImage(object): # Test Case 3b, rejected by dbx even if db allows output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 
@@ -133,13 +133,13 @@ class TestEfiSignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 dbx_hash.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx', 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', @@ -162,11 +162,11 @@ class TestEfiSignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed_2sigs ""', 
@@ -178,7 +178,7 @@ class TestEfiSignedImage(object): # Test Case 5b, authenticated if both signatures are verified output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db1.auth', - 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize db']) + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize db']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', @@ -190,7 +190,7 @@ class TestEfiSignedImage(object): # certificate) is revoked output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx_hash.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', @@ -201,7 +201,7 @@ class TestEfiSignedImage(object): # Test Case 5d, rejected if both of signatures are revoked output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx_hash1.auth', - 'setenv -e -nv -bs -rt -at -a -i 4000000,$filesize dbx']) + 'setenv -e -nv -bs -rt -at -a -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', 
@@ -220,11 +220,11 @@ class TestEfiSignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db_hello_signed.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot add 1 HELLO host 0:1 /helloworld.efi.signed ""', @@ -236,7 +236,7 @@ class TestEfiSignedImage(object): # Test Case 6b, rejected by TEST_db certificate in dbx output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx_db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', @@ -248,9 +248,9 @@ class TestEfiSignedImage(object): # Test Case 6c, rejected by image's digest in dbx output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'fatload host 0:1 4000000 dbx_hello_signed.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 'efidebug boot next 1', diff --git a/test/py/tests/test_efi_secboot/test_signed_intca.py b/test/py/tests/test_efi_secboot/test_signed_intca.py index 1e5f4d04b3..70d6be00e8 100644 --- a/test/py/tests/test_efi_secboot/test_signed_intca.py 
+++ b/test/py/tests/test_efi_secboot/test_signed_intca.py @@ -31,11 +31,11 @@ class TestEfiSignedImageIntca(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db_c.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ @@ -64,9 +64,9 @@ class TestEfiSignedImageIntca(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ @@ -80,7 +80,7 @@ class TestEfiSignedImageIntca(object): # Test Case 2b, signed and authenticated by root CA output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db_b.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'efidebug boot next 1', 'efidebug test bootmgr']) assert '\'HELLO_abc\' failed' in ''.join(output) 
@@ -90,7 +90,7 @@ class TestEfiSignedImageIntca(object): # Test Case 2c, signed and authenticated by root CA output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db_c.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'efidebug boot next 1', 'efidebug test bootmgr']) assert 'Hello, world!' in ''.join(output) @@ -106,13 +106,13 @@ class TestEfiSignedImageIntca(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 dbx_b.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx', 'fatload host 0:1 4000000 db_c.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ @@ -128,7 +128,7 @@ class TestEfiSignedImageIntca(object): # Test Case 3b, revoked by root CA in dbx output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 dbx_c.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx', 'efidebug boot next 1', 'efidebug test bootmgr']) assert '\'HELLO_abc\' failed' in ''.join(output) diff --git a/test/py/tests/test_efi_secboot/test_unsigned.py b/test/py/tests/test_efi_secboot/test_unsigned.py index c4c3f4c202..56f56e19eb 100644 --- a/test/py/tests/test_efi_secboot/test_unsigned.py +++ b/test/py/tests/test_efi_secboot/test_unsigned.py 
@@ -29,9 +29,9 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ @@ -56,11 +56,11 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ @@ -80,11 +80,11 @@ class TestEfiUnsignedImage(object): output = u_boot_console.run_command_list([ 'host bind 0 %s' % disk_img, 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize dbx', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx', 'fatload host 0:1 4000000 KEK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize KEK', + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK', 'fatload host 0:1 4000000 PK.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize PK']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ 
@@ -102,7 +102,7 @@ class TestEfiUnsignedImage(object): # Test Case 3b, rejected by dbx even if db allows output = u_boot_console.run_command_list([ 'fatload host 0:1 4000000 db_hello.auth', - 'setenv -e -nv -bs -rt -at -i 4000000,$filesize db']) + 'setenv -e -nv -bs -rt -at -i 4000000:$filesize db']) assert 'Failed to set EFI variable' not in ''.join(output) output = u_boot_console.run_command_list([ |